This is probably due to my lack of understanding. I'm using WebPy to
create a Python-based web application.
According to "JavaScript: The Definitive Guide" by Flanagan:
"[cookies] are still uploaded to the web server in the request for any
web page with which they are associated."
In the client application JavaScript, a cookie is created. The main use
of this cookie is to coordinate information between related HTML pages.
This cookie is associated with the root web page of the application and
is available to all the HTML pages. It seems to be properly working
between the HTML pages.
My understanding of the above statement is that the cookie is also sent
to the server, which I could actually use. In the application, the user
fills out several pages of information. I'm using the cookie so that the
user can navigate among these pages with the back and forward arrows in
the browser.
When they leave the last page, this information needs to be sent to the
server for processing.
WebPy has a function to retrieve the cookies passed to the CGI app.
Basically, that just extracts the HTTP_COOKIE environment variable. In
my app, that is always coming back empty.
Another thing I thought I could use the cookie for is to make sure that
the user has arrived at this page after going through the initial logon
page. I know it's not rock-solid security, but when the user visits the
logon page, they enter their name and password. That is then validated
by the server which re-directs them to the application main menu. That
main menu page creates the cookie including their user id. I was
thinking that if the server ever received a request for a page inside
the application and there was no cookie (or the cookie didn't have a
user id), the server could redirect them back to the logon screen. That
would prevent someone bypassing the logon by entering the page address
directly.
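
An added example, not part of the original post: a server-side form of the logon check described above, reading the same HTTP_COOKIE variable with plain standard-library Python rather than WebPy's own API. It assumes the server (not page JavaScript) sets the cookie after validating the password and appends an HMAC tag, so a cookie carrying only a typed-in user id is rejected; `SECRET_KEY`, `COOKIE_NAME` and the function names are hypothetical.

```python
import hashlib
import hmac
from http.cookies import CookieError, SimpleCookie

# Constructed demo key; a real deployment loads a random secret from
# server-side configuration and never sends it to the browser.
SECRET_KEY = b"constructed-demo-key-not-for-production"
COOKIE_NAME = "session"  # hypothetical cookie name


def _sign(user_id):
    """Hex HMAC-SHA256 tag binding the user id to the server's key."""
    return hmac.new(SECRET_KEY, user_id.encode("utf-8"), hashlib.sha256).hexdigest()


def issue_cookie_value(user_id):
    """Value the server puts in Set-Cookie after the password check succeeds."""
    return f"{user_id}.{_sign(user_id)}"


def user_from_environ(environ):
    """Return the authenticated user id, or None when the request should be
    redirected to the logon page."""
    raw = environ.get("HTTP_COOKIE", "")
    if not raw:
        return None  # no Cookie header reached the CGI app
    jar = SimpleCookie()
    try:
        jar.load(raw)
    except CookieError:
        return None  # malformed header: treat as not logged on
    morsel = jar.get(COOKIE_NAME)
    if morsel is None:
        return None
    user_id, sep, tag = morsel.value.rpartition(".")
    if not sep or not user_id:
        return None  # bare user id with no tag, as a client script could set
    # Constant-time comparison on bytes so non-ASCII input cannot raise.
    if not hmac.compare_digest(tag.encode("utf-8"), _sign(user_id).encode("utf-8")):
        return None
    return user_id
```
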